I'm using rails3. It does not seem to check the authenticity_token when doing a POST using Ajax. I traced this to:

    module ActionDispatch
      class Request < Rack::Request
        .....
        def forgery_whitelisted?
          get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
        end
      end
    end

so you don't check if it's a get? or an xhr? (ie ajax request). Is this correct?

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On Sep 21, 7:43 am, Ft51 <mrfredtr...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> I'm using rails3. It does not seem to check the authenticity_token
> when doing a POST using Ajax. I traced this to:
>
> module ActionDispatch
>   class Request < Rack::Request
>     .....
>     def forgery_whitelisted?
>       get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
>     end
>   end
>
> so you don't check if it's a get? or an xhr? (ie ajax request). Is this
> correct?

Seems correct to me:

GET requests shouldn't be doing anything where it matters if the request is coming from another domain.

XHR requests don't support cross-domain calls. So you don't have to worry about it coming from another domain.
Thanks, that makes sense!

On Sep 21, 1:15 pm, Tim Shaffer <timshaf...-BUHhN+a2lJ4@public.gmane.org> wrote:
> On Sep 21, 7:43 am, Ft51 <mrfredtr...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> > I'm using rails3. It does not seem to check the authenticity_token
> > when doing a POST using Ajax. I traced this to:
> >
> > module ActionDispatch
> >   class Request < Rack::Request
> >     .....
> >     def forgery_whitelisted?
> >       get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
> >     end
> >   end
> >
> > so you don't check if it's a get? or an xhr? (ie ajax request). Is this
> > correct?
>
> Seems correct to me:
> GET requests shouldn't be doing anything where it matters if the
> request is coming from another domain.
> XHR requests don't support cross-domain calls. So you don't have to
> worry about it coming from another domain.
Doesn't $.getScript pass data from one domain to another?
On Sep 21, 12:23 pm, radhames brito <rbri...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Doesn't $.getScript pass data from one domain to another?

I doubt it. It probably uses XMLHttpRequest.
Just confirmed: getScript does cross-domain calls. Some guys are using it to send https data over http:

http://www.viget.com/extend/secure-ajax-from-non-secure-pages/
On Sep 21, 2:30 pm, radhames brito <rbri...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Just confirmed: getScript does cross-domain calls.
>
> Some guys are using it to send https data over http:
>
> http://www.viget.com/extend/secure-ajax-from-non-secure-pages/

Actually, that page specifically says that it doesn't work cross domain, or even cross protocol:

"the JavaScript same origin policy prevents you from making an Ajax request from your non-secure page to a secure page"

And the example doesn't show any use of cross domain or cross protocol calls.
    class CryptoKeysController < ApplicationController
      ssl_required :show

    $.getScript('/profiles/crypto_key?callback=setCryptData',

He is calling the show action with https from a non-https page.
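Added example, not from this thread and not Rails' own code: a stand-alone Ruby model of the forgery_whitelisted? predicate quoted at the top of the thread, evaluated against constructed request shapes for the cases argued about here (a cross-site form POST, a jQuery XHR POST, a $.getScript/JSONP GET like the crypto_key call above). The Request struct, the BROWSER_GENERATED_TYPES list (a plain-string transcription of the Rails 3.0 browser-generated Mime types) and the stricter verified_request? variant are this example's own, not Rails' API. The point it makes for a defender: both get? and xhr? skip the token check, so any GET action reachable through a script tag must not change state, and an AJAX write is only protected if the token is required (as a param or a header) regardless of X-Requested-With, which is the direction Rails later took when it dropped the xhr? exemption in favour of an X-CSRF-Token header.

```ruby
require 'set'

# Content types a browser can emit from a plain form or navigation without
# script help. Mirrors the Rails 3.0 "browser generated" Mime types, but as
# plain strings rather than Mime::Type objects (this example's simplification).
BROWSER_GENERATED_TYPES = Set['text/html', 'application/x-www-form-urlencoded',
                              'multipart/form-data', 'text/plain']

# Stand-in for the parts of ActionDispatch::Request the check consults.
# Field names are this example's own.
Request = Struct.new(:verb, :content_type, :headers, :params, keyword_init: true) do
  def get?
    verb == 'GET'
  end

  # Rails' xhr? is just this header test; any client able to set arbitrary
  # request headers can satisfy it, which is why it is a weak exemption.
  def xhr?
    !!(headers['X-Requested-With'].to_s =~ /XMLHttpRequest/i)
  end

  def content_mime_type
    content_type
  end
end

# The Rails 3.0 predicate quoted in the thread, transcribed as a plain method:
# true means the authenticity_token is NOT checked for this request.
def forgery_whitelisted?(req)
  req.get? || req.xhr? || req.content_mime_type.nil? ||
    !BROWSER_GENERATED_TYPES.include?(req.content_mime_type)
end

# Stricter variant (this example's own, not Rails' API): only GET is exempt,
# and every other request must present the token as a param or a header.
def verified_request?(req, token)
  req.get? ||
    req.params['authenticity_token'] == token ||
    req.headers['X-CSRF-Token'] == token
end

TOKEN = 'tok123' # constructed session token for the samples below

# Constructed requests covering the cases argued about in the thread.
SAMPLES = {
  # <form method="post"> submitted from another site: cookies go along, no token.
  cross_site_form_post: Request.new(
    verb: 'POST', content_type: 'application/x-www-form-urlencoded',
    headers: {}, params: {}),
  # jQuery $.post from the app's own page; jQuery adds X-Requested-With.
  ajax_post_no_token: Request.new(
    verb: 'POST', content_type: 'application/x-www-form-urlencoded',
    headers: { 'X-Requested-With' => 'XMLHttpRequest' }, params: {}),
  # Same AJAX POST, but also sending the token in a header.
  ajax_post_with_header_token: Request.new(
    verb: 'POST', content_type: 'application/x-www-form-urlencoded',
    headers: { 'X-Requested-With' => 'XMLHttpRequest', 'X-CSRF-Token' => TOKEN },
    params: {}),
  # $.getScript / JSONP: a <script src=...> tag, so a plain GET that carries
  # cookies cross-origin but has no X-Requested-With header and no token.
  jsonp_get: Request.new(
    verb: 'GET', content_type: nil, headers: {},
    params: { 'callback' => 'setCryptData' }),
  # A POST with a content type a plain form cannot produce (a JSON API client).
  json_post: Request.new(
    verb: 'POST', content_type: 'application/json', headers: {}, params: {}),
}.freeze

# Evaluate both predicates for every sample.
# Returns name => { rails30_skips_check: bool, strict_verified: bool }.
def whitelist_report(token = TOKEN)
  SAMPLES.transform_values do |req|
    { rails30_skips_check: forgery_whitelisted?(req),
      strict_verified: verified_request?(req, token) }
  end
end

if __FILE__ == $0
  whitelist_report.each { |name, result| puts "#{name}: #{result}" }
end
```

Reading the report: the only sample the Rails 3.0 logic actually checks is the plain cross-site form POST; the XHR POST, the JSONP GET and the JSON POST are all exempt. Under the stricter variant the JSONP GET is still exempt (it has to be, since a script tag cannot carry a token), which is exactly why Tim's first point holds: the show action behind that GET must be read-only.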